Google analyzed the “secret questions” used by its vast userbase and was not surprised to learn that they are mostly terrible.
In a blog post at the company’s Online Security Blog, Elie Bursztein said that
“secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.”
“That’s because they suffer from a fundamental flaw,” Bursztein wrote. “Their answers are either somewhat secure or easy to remember—but rarely both.”
Here are some specific insights:
• With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question “What is your favorite food?” (it was ‘pizza’, by the way).
• With ten guesses, an attacker would have a nearly 24% chance of guessing Arabic-speaking users’ answers to the question “What’s your first teacher’s name?”
• With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users’ answers to the question “What is your father’s middle name?”
• With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users’ answers to the question “What is your city of birth?” and a 43% chance of guessing their favorite food.
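As an added illustration (not code or data from Google’s post), the following Python computes the metric behind the figures above: the share of users an attacker would hit by trying the k most common answers to a question, the min-entropy that implies, and a defensive check that flags an answer as too common to accept. The answer list is constructed, not real user data.

```python
from collections import Counter
import math

# Constructed sample: 100 users' answers to "What is your favorite food?"
# (made up for this example; 50 share eight popular answers, 50 are unique).
SAMPLE_ANSWERS = (
    ["pizza"] * 20 + ["pasta"] * 8 + ["sushi"] * 6 + ["tacos"] * 5
    + ["burger"] * 4 + ["curry"] * 3 + ["ramen"] * 2 + ["steak"] * 2
    + [f"dish{i}" for i in range(50)]
)


def normalize(answer):
    """Fold case and whitespace so 'Pizza ' and 'pizza' count as one answer."""
    return " ".join(answer.strip().lower().split())


def answer_distribution(answers):
    """Return [(answer, probability), ...] sorted from most to least common."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return [(a, c / total) for a, c in counts.most_common()]


def top_k_success_rate(answers, k):
    """Fraction of users hit by an attacker who tries the k most common answers
    (the '1 guess' / '10 guesses' numbers quoted in the text)."""
    return sum(p for _, p in answer_distribution(answers)[:k])


def min_entropy_bits(answers):
    """-log2 of the most common answer's probability: the effective strength
    against a single best guess, in bits."""
    return -math.log2(answer_distribution(answers)[0][1])


def is_too_common(answer, answers, max_share):
    """Defensive check: reject a candidate answer whose share of the existing
    population exceeds max_share (e.g. 0.05 = 5% of users)."""
    share = dict(answer_distribution(answers)).get(normalize(answer), 0.0)
    return share > max_share


if __name__ == "__main__":
    for k in (1, 10):
        print(f"{k:2d} guess(es): {top_k_success_rate(SAMPLE_ANSWERS, k):.1%}")
    print(f"min-entropy: {min_entropy_bits(SAMPLE_ANSWERS):.2f} bits")
```

With this sample, one guess succeeds 20% of the time and ten guesses 52%, and the most common answer is worth only about 2.3 bits, which is the gap the post is describing.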
They’re not the first to acknowledge the problems with secret questions.